| File name: | Spyware.zip |
| Full analysis: | https://app.any.run/tasks/6dced457-1a35-430e-845b-a63359f0e923 |
| Verdict: | Malicious activity |
| Threats: | Ransomware is a type of malicious software that locks users out of their system or data using different methods to force them to pay a ransom. Most often, such programs encrypt files on an infected machine and demand a fee to be paid in exchange for the decryption key. Additionally, such programs can be used to steal sensitive information from the compromised computer and even conduct DDoS attacks against affected organizations to pressure them into paying. |
| Analysis date: | March 16, 2024, 12:33:30 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/zip |
| File info: | Zip archive data, at least v4.5 to extract, compression method=deflate |
| MD5: | 0C84D23AFEC869786DB6B1F729E168E8 |
| SHA1: | CD196BFD838DF776129F611F0E99B16F23B58DEB |
| SHA256: | 0E23533759DAD4EC1CBAB684EB25E2F371D11B0C5E96DD125DB40A8B5EF9597B |
| SSDEEP: | 98304:S8BC5Q11cdi1Kvn5m01NZ8SwGYi1jVnVicrFiYM33dKGmOCROFjYEIR/2gX+rlKP:mim767c |
MALICIOUS
Drops the executable file immediately after the start
- WinRAR.exe (PID: 4008)
- butterflyondesktop.exe (PID: 128)
- butterflyondesktop.tmp (PID: 1036)
- AgentTesla.exe (PID: 2660)
- butterflyondesktop.exe (PID: 2308)
Unusual execution from MS Office
- WINWORD.EXE (PID: 1928)
Microsoft Office executes commands via PowerShell or Cmd
- WINWORD.EXE (PID: 1928)
Starts CMD.EXE for commands execution
- WINWORD.EXE (PID: 1928)
Changes the autorun value in the registry
- butterflyondesktop.tmp (PID: 1036)
CHIMERA has been detected (SURICATA)
- msedge.exe (PID: 4020)
SUSPICIOUS
Non-standard symbols in registry
- WINWORD.EXE (PID: 1928)
Runs shell command (SCRIPT)
- WINWORD.EXE (PID: 1928)
Starts POWERSHELL.EXE for commands execution
- cmd.exe (PID: 2148)
BASE64 encoded PowerShell command has been detected
- cmd.exe (PID: 2148)
Script decodes Base64 (POWERSHELL)
- powershell.exe (PID: 2000)
Reads the Internet Settings
- powershell.exe (PID: 2000)
- butterflyondesktop.tmp (PID: 1036)
Base64-obfuscated command line is found
- cmd.exe (PID: 2148)
Reads the Windows owner or organization settings
- butterflyondesktop.tmp (PID: 1036)
Executable content was dropped or overwritten
- butterflyondesktop.exe (PID: 2308)
- AgentTesla.exe (PID: 2660)
- butterflyondesktop.exe (PID: 128)
- butterflyondesktop.tmp (PID: 1036)
Process drops legitimate windows executable
- butterflyondesktop.tmp (PID: 1036)
INFO
Executable content was dropped or overwritten
- WinRAR.exe (PID: 4008)
Manual execution by a user
- WINWORD.EXE (PID: 1928)
- HawkEye.exe (PID: 840)
- AgentTesla.exe (PID: 3800)
- butterflyondesktop.exe (PID: 128)
- AgentTesla.exe (PID: 2660)
- msedge.exe (PID: 1536)
- msedge.exe (PID: 3084)
- rundll32.exe (PID: 2176)
Checks supported languages
- HawkEye.exe (PID: 840)
- AgentTesla.exe (PID: 2660)
- butterflyondesktop.exe (PID: 128)
- butterflyondesktop.tmp (PID: 992)
- butterflyondesktop.tmp (PID: 1036)
- ButterflyOnDesktop.exe (PID: 2656)
- butterflyondesktop.exe (PID: 2308)
Create files in a temporary directory
- butterflyondesktop.exe (PID: 128)
- butterflyondesktop.tmp (PID: 1036)
- butterflyondesktop.exe (PID: 2308)
Reads the computer name
- AgentTesla.exe (PID: 2660)
- butterflyondesktop.tmp (PID: 992)
- butterflyondesktop.tmp (PID: 1036)
- HawkEye.exe (PID: 840)
Creates files in the program directory
- butterflyondesktop.tmp (PID: 1036)
- AgentTesla.exe (PID: 2660)
Creates a software uninstall entry
- butterflyondesktop.tmp (PID: 1036)
Application launched itself
- msedge.exe (PID: 3084)
- msedge.exe (PID: 3112)
- msedge.exe (PID: 1536)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .zip | | | ZIP compressed archive (100) |
|---|
EXIF
ZIP
| ZipRequiredVersion: | 45 |
|---|---|
| ZipBitFlag: | 0x0800 |
| ZipCompression: | Deflated |
| ZipModifyDate: | 2024:03:16 12:29:44 |
| ZipCRC: | 0x00000000 |
| ZipCompressedSize: | 2 |
| ZipUncompressedSize: | - |
| ZipFileName: | Spyware/ |
Total processes
99
Monitored processes
52
Malicious processes
5
Suspicious processes
4
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 128 | "C:\Users\admin\AppData\Local\Temp\Spyware\Spyware\butterflyondesktop.exe" | C:\Users\admin\AppData\Local\Temp\Spyware\Spyware\butterflyondesktop.exe | explorer.exe | ||||||||||||
User: admin Company: Drive Software Company Integrity Level: MEDIUM Description: Butterfly on Desktop Setup Exit code: 0 Version: Modules
| |||||||||||||||
| 292 | "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=renderer --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=1488 --field-trial-handle=1288,i,10684781118231722938,10348266634439508647,131072 /prefetch:1 | C:\Program Files\Microsoft\Edge\Application\msedge.exe | — | msedge.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Microsoft Edge Exit code: 0 Version: 109.0.1518.115 Modules
| |||||||||||||||
| 448 | "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2524 --field-trial-handle=1288,i,10684781118231722938,10348266634439508647,131072 /prefetch:8 | C:\Program Files\Microsoft\Edge\Application\msedge.exe | — | msedge.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Microsoft Edge Exit code: 0 Version: 109.0.1518.115 Modules
| |||||||||||||||
| 452 | "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1504 --field-trial-handle=1352,i,17836921698403557329,151406387210573489,131072 /prefetch:3 | C:\Program Files\Microsoft\Edge\Application\msedge.exe | — | msedge.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Microsoft Edge Exit code: 0 Version: 109.0.1518.115 Modules
| |||||||||||||||
| 764 | "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=3424 --field-trial-handle=1288,i,10684781118231722938,10348266634439508647,131072 /prefetch:8 | C:\Program Files\Microsoft\Edge\Application\msedge.exe | — | msedge.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Microsoft Edge Exit code: 0 Version: 109.0.1518.115 Modules
| |||||||||||||||
| 840 | "C:\Users\admin\AppData\Local\Temp\Spyware\Spyware\HawkEye.exe" | C:\Users\admin\AppData\Local\Temp\Spyware\Spyware\HawkEye.exe | — | explorer.exe | |||||||||||
User: admin Integrity Level: MEDIUM Exit code: 0 Modules
| |||||||||||||||
| 864 | "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=renderer --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=28 --mojo-platform-channel-handle=3704 --field-trial-handle=1288,i,10684781118231722938,10348266634439508647,131072 /prefetch:1 | C:\Program Files\Microsoft\Edge\Application\msedge.exe | — | msedge.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Microsoft Edge Exit code: 0 Version: 109.0.1518.115 Modules
| |||||||||||||||
| 884 | "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=109.0.5414.149 "--annotation=exe=C:\Program Files\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win32 "--annotation=prod=Microsoft Edge" --annotation=ver=109.0.1518.115 --initial-client-data=0xc8,0xcc,0xd0,0x9c,0xf0,0x64fef598,0x64fef5a8,0x64fef5b4 | C:\Program Files\Microsoft\Edge\Application\msedge.exe | — | msedge.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Edge Exit code: 0 Version: 109.0.1518.115 Modules
| |||||||||||||||
| 992 | "C:\Users\admin\AppData\Local\Temp\is-0SNUM.tmp\butterflyondesktop.tmp" /SL5="$20284,2719719,54272,C:\Users\admin\AppData\Local\Temp\Spyware\Spyware\butterflyondesktop.exe" | C:\Users\admin\AppData\Local\Temp\is-0SNUM.tmp\butterflyondesktop.tmp | — | butterflyondesktop.exe | |||||||||||
User: admin Integrity Level: MEDIUM Description: Setup/Uninstall Exit code: 0 Version: 51.52.0.0 Modules
| |||||||||||||||
| 1036 | "C:\Users\admin\AppData\Local\Temp\is-B0099.tmp\butterflyondesktop.tmp" /SL5="$30270,2719719,54272,C:\Users\admin\AppData\Local\Temp\Spyware\Spyware\butterflyondesktop.exe" /SPAWNWND=$20272 /NOTIFYWND=$20284 | C:\Users\admin\AppData\Local\Temp\is-B0099.tmp\butterflyondesktop.tmp | butterflyondesktop.exe | ||||||||||||
User: admin Integrity Level: HIGH Description: Setup/Uninstall Exit code: 0 Version: 51.52.0.0 Modules
| |||||||||||||||
Total events
30 125
Read events
29 249
Write events
622
Delete events
254
Modification events
| (PID) Process: | (4008) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
| Operation: | write | Name: | ShellExtBMP |
Value: | |||
| (PID) Process: | (4008) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
| Operation: | write | Name: | ShellExtIcon |
Value: | |||
| (PID) Process: | (4008) WinRAR.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E |
| Operation: | write | Name: | LanguageList |
Value: en-US | |||
| (PID) Process: | (4008) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 3 |
Value: C:\Users\admin\Desktop\phacker.zip | |||
| (PID) Process: | (4008) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 2 |
Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip | |||
| (PID) Process: | (4008) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 1 |
Value: C:\Users\admin\Desktop\curl-8.5.0_1-win32-mingw.zip | |||
| (PID) Process: | (4008) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 0 |
Value: C:\Users\admin\AppData\Local\Temp\Spyware.zip | |||
| (PID) Process: | (4008) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | name |
Value: 120 | |||
| (PID) Process: | (4008) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | size |
Value: 80 | |||
| (PID) Process: | (4008) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | type |
Value: 120 | |||
Executable files
34
Suspicious files
279
Text files
128
Unknown types
203
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 1928 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRBCD.tmp.cvr | — | |
MD5:— | SHA256:— | |||
| 4008 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Spyware\Spyware\Kakwa.doc | document | |
MD5:9A039302B3F3109607DFA7C12CFBD886 | SHA256:31CA294DDD253E4258A948CF4D4B7AAAA3E0AA1457556E0E62EE53C22B4EB6F0 | |||
| 128 | butterflyondesktop.exe | C:\Users\admin\AppData\Local\Temp\is-0SNUM.tmp\butterflyondesktop.tmp | executable | |
MD5:C765336F0DCF4EFDCC2101EED67CD30C | SHA256:C5177FDC6031728E10141745CD69EDBC91C92D14411A2DEC6E8E8CAA4F74AB28 | |||
| 2000 | powershell.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | binary | |
MD5:EE4B924574AAA34D5579D92182D76771 | SHA256:9E2717ED76B5D38B219A6BB7DD1F294ABD5CCBF27EE7A2F85C824539622F87EC | |||
| 1036 | butterflyondesktop.tmp | C:\Users\admin\AppData\Local\Temp\is-PACCS.tmp\_isetup\_shfoldr.dll | executable | |
MD5:92DC6EF532FBB4A5C3201469A5B5EB63 | SHA256:9884E9D1B4F8A873CCBD81F8AD0AE257776D2348D027D811A56475E028360D87 | |||
| 2308 | butterflyondesktop.exe | C:\Users\admin\AppData\Local\Temp\is-B0099.tmp\butterflyondesktop.tmp | executable | |
MD5:C765336F0DCF4EFDCC2101EED67CD30C | SHA256:C5177FDC6031728E10141745CD69EDBC91C92D14411A2DEC6E8E8CAA4F74AB28 | |||
| 1036 | butterflyondesktop.tmp | C:\Program Files\Butterfly on Desktop\is-ME1CG.tmp | executable | |
MD5:1FEE4DB19D9F5AF7834EC556311E69DD | SHA256:3D550C908D5A8DE143C5CD5F4FE431528CD5FA20B77F4605A9B8CA063E83FC36 | |||
| 1036 | butterflyondesktop.tmp | C:\Program Files\Butterfly on Desktop\is-V60GG.tmp | text | |
MD5:F68621DA9CCBE320AEBB5807C6F733CB | SHA256:0479A712A54ADA76EAF0BC5F3B57C764880D1540CBE266724D35C4DCBF40E4E2 | |||
| 1036 | butterflyondesktop.tmp | C:\Program Files\Butterfly on Desktop\is-RT43V.tmp | executable | |
MD5:81AAB57E0EF37DDFF02D0106CED6B91E | SHA256:A70F9E100DDDB177F68EE7339B327A20CD9289FAE09DCDCE3DBCBC3E86756287 | |||
| 1036 | butterflyondesktop.tmp | C:\Program Files\Butterfly on Desktop\is-1PQNG.tmp | executable | |
MD5:81AAB57E0EF37DDFF02D0106CED6B91E | SHA256:A70F9E100DDDB177F68EE7339B327A20CD9289FAE09DCDCE3DBCBC3E86756287 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
18
TCP/UDP connections
148
DNS requests
163
Threats
36
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
856 | svchost.exe | GET | 200 | 88.221.255.169:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?a121b66c80eb47c4 | unknown | compressed | 67.5 Kb | unknown |
4020 | msedge.exe | GET | 200 | 78.46.117.95:80 | http://freedesktopsoft.com/button.css | unknown | text | 2.71 Kb | unknown |
— | — | GET | 200 | 78.46.117.95:80 | http://freedesktopsoft.com/butterflyondesktoplike.html | unknown | html | 6.04 Kb | unknown |
4020 | msedge.exe | GET | 200 | 78.46.117.95:80 | http://freedesktopsoft.com/slider/slider.css | unknown | text | 6.40 Kb | unknown |
4020 | msedge.exe | GET | 200 | 78.46.117.95:80 | http://freedesktopsoft.com/slider/slider.js | unknown | text | 3.00 Kb | unknown |
4020 | msedge.exe | GET | 200 | 78.46.117.95:80 | http://freedesktopsoft.com/images/bodybackground.png | unknown | image | 11.6 Kb | unknown |
4020 | msedge.exe | GET | 200 | 78.46.117.95:80 | http://freedesktopsoft.com/main.css | unknown | text | 4.15 Kb | unknown |
4020 | msedge.exe | GET | 200 | 78.46.117.95:80 | http://freedesktopsoft.com/images/superman_likeus.gif | unknown | image | 30.8 Kb | unknown |
4020 | msedge.exe | GET | 200 | 78.46.117.95:80 | http://freedesktopsoft.com/images/menubackgroundside2.jpg | unknown | image | 1.35 Kb | unknown |
4020 | msedge.exe | GET | 200 | 78.46.117.95:80 | http://freedesktopsoft.com/images/menubackground2.jpg | unknown | image | 16.4 Kb | unknown |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
— | — | 224.0.0.252:5355 | — | — | — | unknown |
1080 | svchost.exe | 224.0.0.252:5355 | — | — | — | unknown |
1844 | svchost.exe | 239.255.255.250:1900 | — | — | — | unknown |
856 | svchost.exe | 151.106.100.61:443 | megabytemantom.com | Hostinger International Limited | DE | unknown |
856 | svchost.exe | 88.221.255.169:80 | ctldl.windowsupdate.com | Akamai International B.V. | NL | unknown |
4020 | msedge.exe | 13.107.42.16:443 | config.edge.skype.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
1536 | msedge.exe | 239.255.255.250:1900 | — | — | — | unknown |
4020 | msedge.exe | 78.46.117.95:80 | freedesktopsoft.com | Hetzner Online GmbH | DE | unknown |
DNS requests
Domain | IP | Reputation |
|---|---|---|
megabytemantom.com |
| unknown |
ctldl.windowsupdate.com |
| whitelisted |
bot.whatismyipaddress.com |
| unknown |
config.edge.skype.com |
| whitelisted |
freedesktopsoft.com |
| malicious |
edge.microsoft.com |
| whitelisted |
pagead2.googlesyndication.com |
| whitelisted |
www.google-analytics.com |
| whitelisted |
www.bing.com |
| whitelisted |
connect.facebook.net |
| whitelisted |
Threats
PID | Process | Class | Message |
|---|---|---|---|
4020 | msedge.exe | Not Suspicious Traffic | INFO [ANY.RUN] Cloudflare Network Error Logging (NEL) |
4020 | msedge.exe | Not Suspicious Traffic | INFO [ANY.RUN] Cloudflare turnstile CAPTCHA challenge |
4020 | msedge.exe | Not Suspicious Traffic | INFO [ANY.RUN] Cloudflare turnstile CAPTCHA challenge |
276 | taskhost.exe | Potential Corporate Privacy Violation | ET POLICY Bitmessage Activity |
276 | taskhost.exe | Potential Corporate Privacy Violation | ET POLICY Bitmessage Activity |
276 | taskhost.exe | Potential Corporate Privacy Violation | ET MALWARE Possible Chimera Ransomware - Bitmessage Activity |
276 | taskhost.exe | Potential Corporate Privacy Violation | ET MALWARE Possible Chimera Ransomware - Bitmessage Activity |
4020 | msedge.exe | Misc activity | ET INFO File Sharing Related Domain in DNS Lookup (mega .nz) |
4020 | msedge.exe | Misc activity | ET INFO File Sharing Related Domain in DNS Lookup (mega .nz) |
4020 | msedge.exe | Misc activity | ET INFO File Sharing Related Domain in DNS Lookup (mega .nz) |
1 ETPRO signatures available at the full report
Process | Message |
|---|---|
msedge.exe | [0316/123534.352:ERROR:exception_handler_server.cc(527)] ConnectNamedPipe: The pipe is being closed. (0xE8)
|